Project

Profile

Help

Story #6352

Updated by bmbouter over 4 years ago

This story has two parts: 

 1. Switching to urlencoding instead of newline stripping for X.509 certificates 
 2. Switching to certificates being submitted to nginx and https via TLS and not as a header. 
 3. Replace the storage of CA certificates from being on the filesystem to being being stored in the DB (same as RHSM Cert Guard) 

 ### Urlencoding 

 Recently we learned that urlencoding is a better way to encode certificates in headers. For example nginx has a field to specifically the [$ssl_client_escaped_cert](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_escaped_cert) variable. For apache the following config will also perform url encoding: 

 ``` 
 RequestHeader set X-CLIENT-CERT "expr=%{escape:%{SSL_CLIENT_CERT}s}" 
 ``` 

 ### Cert Submission via TLS 

 User's want to use the cert and key together in TLS to assert the client has the key and not just the cert. Thus when the server has the client's cert they both have it and also know the client can prove cryptographic ownership of the cert. 

 ### Changing how CA certificates are stored Two changes together? 

 All certificates in Pulp are in the database except for this one. This These changes need to come together because changing either one will require the migration 0001 need to other to be rewritten, but since it's never GA'd this should be acceptable. ported to match. Effectively, doing them separately would double the work.

Back